“I am trying to scare you, and I hope it is working.”

People laughed, then nodded in recognition at the idea presented by one speaker Friday morning at a Cybersecurity conference presented by the North Bay Business Journal and co-hosted by Exchange Bank.

Lou Archbold, senior consultant for the Verizon Threat Research Advisory Center, said cybercrime continues to require constant diligence and investment or business will pay a price, one which can be paid to the hackers who will find ways to compromise computer systems.

“Someone out there has my social security number and date of birth, and I guarantee you someone has yours,” said Archbold, who joined several speakers, including an FBI cybercrime expert, a partner in a firm which “stress tests” company security systems and a network engineer for a Santa Rosa IT firm, at the Santa Rosa event.

Archbold’s team responds to hacks and other attacks on business. His advice was be vigilant and have policies in place or pay a price.

“For example, are you tracking what people print? If someone prints a list of customers or a price list and walks out your door, is there a trail, a log showing what has been printed and by whom?”

Archbold said there’s a data challenge almost everywhere.

“There’s the large insurance company in which a hacker paid a cleaning crew member to plug a thumb drive in and download from the CEO’s computer. We came in and swept the CEO’s computer, then found downloads from other executives as well.”

Even seeming courtesy can be problematic. It might be easy enough for someone to copy an employee badge with an access code and get into a facility, but sometimes it is an even easier to follow someone into the building.

Archbold said he tried that and got in the door of a client’s company. “I found the second floor training room with computers, and on the white board was user name and password information. I got on to the computer and downloaded material and passed it on to the CEO,” he said. “I enjoyed that one.”

Employees, like those who open emails containing malware which can then allow hackers access to a company’s computer data, are a problem as well.

For example, someone might secure the logo of a vendor. A company receives an official looking email advising the company has changed banks, asking the company to begin sending payments to new bank routing number, siphoning off money until the fraud is discovered.

“Train your employees,” he said. “Do a phishing campaign on your own people and see who clicks and opens those emails.”

Get those people into training, he added. “And if an employee gets one of those emails and reports it, give them a reward, like a gas card. Word will get around.”

David Trepp, a partner in IT Assurance, BPM, who is involved in testing for hacking vulnerabilities, said the costs of not addressing security is more than just paying someone to fix it. There’s the cost of legal problems related to data breaches.

As an example, on TTE, Uber is paying $148 million to settle claims over the ride-hailing company’s cover-up of a data breach in 2016, when hackers stole personal information of some 25 million customers and drivers in the U.S.

Businesses face “plenty of regulatory obligations” to handle and prevent data breaches. Many appoint someone to the role of information security officer who had direct reporting responsibilities to the CEO.

From being careful about opening emails to complying with restrictive policies, “info security can make everyones job more difficult so you are never going to see it start in the rank and file.”

“Business leaders worry about bottom line and these are things that are expensive and slow down the business.”

If they do not heed the warning, “then just add them to the list of people (or companies) we know are going to be breached.”

Eric Haugen, a senior network engineer with KLH Consulting in Santa Rosa, said “the days of installing a firewall and calling your company secure are long gone.” Companies need to make policies which make it clear how to report a security concern and even how to protect data by using privacy screen on monitors to restrict looking over one’s shoulder in the office.

He added keeping current on patches for security system, even on websites and having practices of requiring changing passwords ever 30 to 90 days are critical.

Dave Minami,special agent on cybercrime at the FBI’s San Francisco office, said top threats for cybercrime are “business email compromise”—someone compromises business data and can then arrange to transfer funds.

Just one such 2015 attack led to the loss of $17.2 million by an Omaha-based company. “Bank robbers don’t rob banks anymore,” he stated, “they hide behind their computer screens and cover their digital tracks.”

Such wire transfers can sometimes be thwarted if companies contact the FBI which can then work internationally or domestically.

Any company must first contact their financial institution, as well as the FBI, and file a complaint with ic3.gov, he said.

International recovery by this “financial kill chain” process amounted to $331 million between 2014 and May 2018; domestically, the amount was $100 million (February through June 2018).

“Your money or your data” is the other business threat. It is ransomware. Gaining access to company’s data, the criminals encrypt that data. To get it back, businesses must pay up.

Damages have skyrocketed from the crime, from $325 million in 2015 to $5 billion paid globally in 2017.